Blocked website does not show up in NoScript menu

ReporterX
Senior Member
Posts: 74
Joined: Mon Sep 15, 2014 11:46 pm

Blocked website does not show up in NoScript menu

Post by ReporterX »

1. Go to https://www.avforums.com/forums/
Allow:

Code:

avforums.com
You could see a few images couldn't be displayed properly, e.g.
Image

The culprit is there, but there is no option to permanently allow it.
Image

That CDN site does not show up in the NoScript menu. It looks like a bug to me. Any blocked website should be displayed in the NoScript menu.
Image


2. Is it safe or wise to allow any CDN website? :|
What do you think? ;)
Firefox 37.0.2, NoScript 2.6.9.22
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

1) Expected if you set "Apply these restrictions to whitelisted sites too". You need about:config -> noscript.allowedMimeRegExp to permanently allow that.
If you do *not* have that option set, yeah that would be a bug...

2) :o No!!!!!!!!!!!!!!!!!!!!!!!!! Absolutely not!!!!!!!!!!!!!!!!! :o :o
(That is way too general a question ;) More to the point, do YOU trust the people running the CDN and the people whose content it serves enough to allow potentially dangerous content coming from there?
Also, do you mean generic CDNs like ajax.aspnetcdn / code.jquery / googleapis, or site-specific CDNs like ytimg.com and various cloudfront.net subdomains?)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.63 Safari/537.31
ReporterX
Senior Member
Posts: 74
Joined: Mon Sep 15, 2014 11:46 pm

Re: Blocked website does not show up in NoScript menu

Post by ReporterX »

barbaz wrote:1) Expected if you set "Apply these restrictions to whitelisted sites too". You need about:config -> noscript.allowedMimeRegExp to permanently allow that.
If you do *not* have that option set, yeah that would be a bug...
Why does the CDN site not show up in the NoScript menu?
I expect:
Allow bootstrapcdn.com
Temporary allow bootstrapcdn.com
barbaz wrote: 2) :o No!!!!!!!!!!!!!!!!!!!!!!!!! Absolutely not!!!!!!!!!!!!!!!!! :o :o
(That is way too general a question ;) More to the point, do YOU trust the people running the CDN and the people whose content it serves enough to allow potentially dangerous content coming from there?
Also, do you mean generic CDNs like ajax.aspnetcdn / code.jquery / googleapis, or site-specific CDNs like ytimg.com and various cloudfront.net subdomains?)
Generic, like bootstrapcdn.com, s3.amazonaws.com, where their services are used by tons of subscribers.
Regarding cloudfront, let's say the original subscriber cancels the service, wouldn't it be a risk since the original (whitelisted) subdomain will then be used by a new unknown subscriber?
With the rise of CDNs, it would be great if I can click to do "conditional allow", allow xxxcdn.com if coming from SiteA.com
Thank you. :)
Firefox 37.0.2, NoScript 2.6.9.22
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

ReporterX wrote:Why does the CDN site not show up in the NoScript menu?
I expect:
Allow bootstrapcdn.com
Temporary allow bootstrapcdn.com
Again, make sure you deselected NoScript Options > Embeddings > "Apply these restrictions to whitelisted sites too" if you want that behavior
ReporterX wrote:Generic, like bootstrapcdn.com, s3.amazonaws.com, where their services are used by tons of subscribers.
:shock: Don't whitelist those entire domains, because you really don't know what you're allowing in such broad cases!
Whitelist only the specific subdomain(s) used by the site(s) you're interested in, then (optionally)...
ReporterX wrote:Regarding cloudfront, let's say the original subscriber cancels the service, wouldn't it be a risk since the original (whitelisted) subdomain will then be used by a new unknown subscriber?
With the rise of CDNs, it would be great if I can click to do "conditional allow", allow xxxcdn.com if coming from SiteA.com
... if you want to take precautions against this, use ABE

Code:

Site .cloudfront.net
Accept from .site1whereitstrustwort.hy .site2whereitstrustwort.hy
Deny
(or, could replace Deny with the emulated active content blocking I've shown you in prior posts, but I'm too lazy to find it right now :P )
** Warning: I do basically as posted above for cloudfront (the only difference is I'm using my personal Adblock Plus fork instead of an ABE rule) and it's a PITA, but it does catch some tracking junk so as a power user you may find it worth it. **

Then if a site cancels their subscription, it doesn't matter because even if a new site gets the exact same CDN domain they can't run active content (unless, of course, they take over the old site's domain too).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
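
The ABE rule posted above, modelled as an added example (not code from this thread or from NoScript): a simplified evaluator for the `Site` / `Accept from` / `Deny` subset, showing that a reassigned CloudFront hostname is accepted only when the request originates from a listed site. The hostnames (`site-a.example`, `site-b.example`, `new-tenant.example`, `d111example.cloudfront.net`) are constructed placeholders, and the function names are hypothetical.

```python
# Simplified model of ABE rule matching (added example, not NoScript's code).
from urllib.parse import urlsplit

# Constructed ruleset in the shape posted above; site-a/site-b are placeholders.
RULES = """\
Site .cloudfront.net
Accept from .site-a.example .site-b.example
Deny
"""

def host_matches(pattern, host):
    # ".example.com" covers example.com and all its subdomains; else exact match.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(text):
    """Return [(site_patterns, [(action, origin_patterns), ...]), ...]."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "Site" and len(words) > 1:
            rules.append((words[1:], []))
        elif (words[0] in ("Accept", "Deny") and rules and len(words) != 2
              and words[1:2] in ([], ["from"])):
            rules[-1][1].append((words[0], words[2:]))  # no origins = any origin
        else:
            raise ValueError(f"unsupported line in this model: {line!r}")
    return rules

def decide(rules, request_url, origin_url):
    """The first predicate that matches destination and origin decides."""
    dest = urlsplit(request_url).hostname or ""
    origin = urlsplit(origin_url).hostname or ""
    for sites, predicates in rules:
        if not any(host_matches(s, dest) for s in sites):
            continue
        for action, origins in predicates:
            if not origins or any(host_matches(o, origin) for o in origins):
                return action
    return "NoMatch"  # no ABE verdict; NoScript's own permissions still apply

RULESET = parse(RULES)
CDN = "https://d111example.cloudfront.net/app.js"  # constructed CDN URL

if __name__ == "__main__":
    for page in ("https://www.site-a.example/", "https://new-tenant.example/"):
        print(page, "->", decide(RULESET, CDN, page))
```

An `Accept` here only means ABE does not block the request; whether scripts from the CDN host actually run still depends on the NoScript whitelist.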
ReporterX
Senior Member
Posts: 74
Joined: Mon Sep 15, 2014 11:46 pm

Re: Blocked website does not show up in NoScript menu

Post by ReporterX »

barbaz wrote:
ReporterX wrote:Why does the CDN site not show up in the NoScript menu?
I expect:
Allow bootstrapcdn.com
Temporary allow bootstrapcdn.com
Again, make sure you deselected NoScript Options > Embeddings > "Apply these restrictions to whitelisted sites too" if you want that behavior
Yup, already unchecked but bootstrapcdn.com does not show up. You can try it out and see if it happens to you too.

Image

barbaz wrote: ... if you want to take precautions against this, use ABE

Code:

Site .cloudfront.net
Accept from .site1whereitstrustwort.hy .site2whereitstrustwort.hy
Deny
(or, could replace Deny with the emulated active content blocking I've shown you in prior posts, but I'm too lazy to find it right now :P )
** Warning: I do basically as posted above for cloudfront (the only difference is I'm using my personal Adblock Plus fork instead of an ABE rule) and it's a PITA, but it does catch some tracking junk so as a power user you may find it worth it. **

Then if a site cancels their subscription, it doesn't matter because even if a new site gets the exact same CDN domain they can't run active content (unless, of course, they take over the old site's domain too).
Do you know if ABE has any performance issues?
Let's say if there are over several hundred lines of code in ABE, will it slow down the browser?
Thank you. :)
Firefox 37.0.2, NoScript 2.6.9.22
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

ReporterX wrote:Do you know if ABE has any performance issues?
Let's say if there are over several hundred lines of code in ABE, will it slow down the browser?
Can
viewtopic.php?f=23&t=19240

_______________

BTW, Happy New Year ReporterX
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (ABE, https://noscript.net/abe/wan)
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

ReporterX wrote:Yup, already unchecked but bootstrapcdn.com does not show up. You can try it out and see if it happens to you too.
Yep, bug, and doesn't appear to be a recent regression (I reproduced with as far back as NoScript 2.6.8.43)...

Allowing the site manually in Options > Whitelist doesn't Allow the font, unless avforums is (Temp-)Allowed (as expected) - but you have no option to Forbid bootstrapcdn in the menu?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (ABE, https://noscript.net/abe/wan)
ReporterX
Senior Member
Posts: 74
Joined: Mon Sep 15, 2014 11:46 pm

Re: Blocked website does not show up in NoScript menu

Post by ReporterX »

barbaz wrote:
ReporterX wrote:Yup, already unchecked but bootstrapcdn.com does not show up. You can try it out and see if it happens to you too.
Yep, bug, and doesn't appear to be a recent regression (I reproduced with as far back as NoScript 2.6.8.43)...

Allowing the site manually in Options > Whitelist doesn't Allow the font, unless avforums is (Temp-)Allowed (as expected) - but you have no option to Forbid bootstrapcdn in the menu?
Allowing both sites will not block the font-face.

BTW, happy new year barbaz ;) (although it is late :P )
Firefox 37.0.2, NoScript 2.6.9.22
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

ReporterX wrote:BTW, happy new year barbaz ;) (although it is late :P )
Thanks and congratulations to you for becoming a Senior Member
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Windows NT 5.2; rv:33.0) Gecko/20100101 SeaMonkey/2.30
Gravity
Posts: 1
Joined: Mon Jan 19, 2015 9:39 pm

Re: Blocked website does not show up in NoScript menu

Post by Gravity »

I just wanted to say that I am encountering this bug all the time with FONT@ despite having a site whitelisted. When will this be fixed? Thank you!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

@Giorgio: I'm pretty sure this used to work a while back, would it be helpful if I try to look for an exact regression range in NoScript and/or Gecko (as possible)?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Windows NT 5.2; rv:33.0) Gecko/20100101 SeaMonkey/2.30
Giorgio Maone
Site Admin
Posts: 9528
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Blocked website does not show up in NoScript menu

Post by Giorgio Maone »

barbaz wrote:@Giorgio: I'm pretty sure this used to work a while back, would it be helpful if I try to look for an exact regression range in NoScript and/or Gecko (as possible)?
I'm not sure about the "bug" we're talking about here.
  1. Blocked 3rd party objects requiring the parent page's site to be whitelisted in order to be implicitly allowed by whitelisting their origin is by design. You can release this restriction by toggling the noscript.forbidActiveContentParentTrustCheck about:config preference to false.
  2. Not showing a 1st class whitelisting "Allow..." menu item for origins which don't contribute any JavaScript to a certain page, but just embedded objects (which fonts are considered alike), is by design as well, asked a long time ago by al_9x, IIRC. In theory this way we can discourage giving unneeded permissions (catch-all JavaScript + active content) where using the "Blocked Object" submenu to grant finer-grained privileges to the needed embeddings suffices, but I concede this can become cumbersome/confusing especially when you are not using the Apply these restrictions on whitelisted sites too Embeddings option (which is not the case reported here, though).
Regarding #2, maybe NoScript could show the whitelisting "Allow..." commands even for sites contributing just embeddings in the default configuration, i.e. as long as Apply these restrictions on whitelisted sites too is unchecked, since this option actually makes whitelisting non-JavaScript sources useless. What do you think?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Blocked website does not show up in NoScript menu

Post by barbaz »

Giorgio Maone wrote:2. Not showing a 1st class whitelisting "Allow..." menu item for origins which don't contribute any JavaScript to a certain page, but just embedded objects (which fonts are considered alike), is by design as well, asked a long time ago by al_9x, IIRC. In theory this way we can discourage giving unneeded permissions (catch-all JavaScript + active content) where using the "Blocked Object" submenu to grant finer-grained privileges to the needed embeddings suffices, but I concede this can become cumbersome/confusing especially when you are not using the Apply these restrictions on whitelisted sites too Embeddings option (which is not the case reported here, though).
The "bug" in this thread is having this behavior when "Apply these restrictions on whitelisted sites too" is *unchecked*. Here's the post by al_9x you're probably thinking of:
https://forums.informaction.com/viewtopic.php?p=16707#p16707 wrote:In "apply these restrictions to whitelisted" mode, allowing domains affects only script permissions (is that right?). The objects and iframes are allowed or not based only on the global embeddings settings, irrespective of the whitelist. Therefore, optionally at least, it would make sense to not show the domains for non-script resources in the NoScript menu, since allowing them makes no difference (currently allowing such a domain refreshes the page, needlessly, I think). Hiding them makes the menu better reflect the permission needs of the page and less cluttered.
Which only requests the change when "Apply these restrictions to whitelisted sites too" is *checked* (otherwise it would just lead to confusion, since without that option enabled, site permissions apply to both scripts and embeddings).
Giorgio Maone wrote:Regarding #2, maybe NoScript could show the whitelisting "Allow..." commands even for sites contributing just embeddings in the default configuration, i.e. as long as Apply these restrictions on whitelisted sites too is unchecked, since this option actually makes whitelisting non-JavaScript sources useless. What do you think?
That would be great! :)
I'd actually like to see all the menu options for such sites when 'Apply these restrictions to whitelisted sites too' is un-checked, not just 'Allow ...', because then could, say, opt to Temp-Allow objects from an entire 2nd-level domain (Blocked Objects only offers full addresses) or mark the site as Untrusted (checking again, that option is currently missing as well).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Windows NT 5.2; rv:33.0) Gecko/20100101 SeaMonkey/2.30